Internet Statistics (June 2009)

• 1.6 billion global Internet users
• 252 million Internet users in North America.
• 74% of the North American population are Internet users.
• 200,000+ links between ISPs and the Internet
• Two billion Google web searches/day
• Internet attacks from China are 28% of all attacks.
Example: AT&T Internet Service Provider’s Network (USA)
How the Internet is Organized

Layers of the Internet and the link capacity shown for each (from the slide diagram):

Backbone Connections: 9.6 Gb/sec
Internet Service Providers: 622 Mb/sec
Points of Service: 52 Mb/sec
Wide Area Networks: 20 Mb/sec
Local Area Networks: 5 Mb/sec

All Internet Transmissions via “Packets”
All Packets Traverse Open System Interconnection Layers
All Internet Transmissions are in “Hops” (Elapsed time 6 seconds)


From: jtmessert@optonline.net 7 Dec 2008 15:05:39
1. Received: from 48151 invoked from network
2. Received: from localhost (localhost [127.0.0.1])
3. Received: from rn-out-0910.google.com
4. Received: by rn-out-0910.google.com
5. Received: by 10.100.255.10
6. Received: by 10.100.124.12
7. Received: by 10.65.53.19
8. Received: from qs1473.pair.com
9. Received: from localhost [127.0.0.1]
10. Received: from mta3.srv.hcviny.cv.net
11. Received: from [10.240.3.210]
Forwarded-To: paul@strassmann.com 7 Dec 2008 15:05:45
Above message = 29 “packets”


George Mason University, 10/13/09

Connections to and from the Global Information Grid (GIG)
New Trojan Viruses

• Generic Packed.c!29595758b285
• Backdoor-DZP!b13e831/ce/6
• Downloader-BPJ!8d0c2b001a6d
• Backdoor-DZP!3e294099cc63
• PWCrack-Winspy!d0623f353f1f
• Generic.dx!926/6e18/6bf
• Generic FakeAlert!htm
• Generic PWS.y!leadcb29986ea
• FakeAlert-DI!7eb610c60513
• Downloader-BRW!9953f6b811 73
List of Botnets

Top Botnets on 07/22/2009 | Millions of Compromised US Computers | Function
Zeus | | Steals user names, passwords, account numbers and credit card numbers.
Koobface | | Takes control over the entire computer.
TidServ | | Techniques to run inside the root of Windows.
Trojan.Fakeavalert | | Downloads other malware.
TR/Dldr.Agent.JKH | | Posts encrypted data to its command-and-control domains and receives instruction.
Monkif | | Downloads adware.
Hamweq | 0.48 | Worm makes copies of itself to distribute information from the compromised system.
New Microsoft Security Vulnerabilities

• Office Web Components ActiveX Code Execution Vulnerability, 07/13/2009
• Cumulative Security Update of ActiveX Kill Bits, 07/14/2009
• DirectShow Video ActiveX Control Vulnerability, 07/04/2009
• DirectShow DirectX Size Validation Vulnerability, 07/14/2009
• DirectShow DirectX Pointer Validation Vulnerability, 07/14/2009
• Virtual PC and Virtual Server Privileged Instruction Decoding Vulnerability, 07/14/2009
About Attacks on Desktops, Laptops and Smart Phones

• Inadequate protection from anti-virus software;
• Inadequate protection provided by firewalls.
• Damage is local (LANs, WANs).
• Damage is limited and temporary.
• Cyber warfare attacks the Internet infrastructure.
Routing INTERNET Messages through Routers & Switches
Principal Attack Scenarios on Internet Switches

• Flooding Attacks on a Switch
• Address Resolution Spoofing
• “Man-in-the-Middle” Attack
• Denial of Service Attack
• Switch Hijacking Attack
• Spanning Tree Attack
• The Root Claim Attack
• Forcing Eternal Root Election Attack
• VLAN Hopping Attack
Flooding Attacks on a Switch

• There are attack tools that can auto-generate over 100,000 bogus entries per minute, which then overloads the switch so that it malfunctions.
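From the switch side, the condition this slide describes (the forwarding table filling with bogus entries) shows up as an abnormal number of distinct source MAC addresses arriving on one port. The following is an added example, not from the slides, of a sliding-window detector run over a constructed frame sample, together with a model of the port-security limit that stops the table from filling in the first place. Port names, MAC addresses, the window and the thresholds are all invented for the example.

```python
from collections import defaultdict, deque


def detect_mac_flood(frames, window_s=10.0, max_macs=50):
    """Sliding-window detector for forwarding-table (CAM) flooding.

    frames: iterable of (t_seconds, port, src_mac) in time order, as sampled from a
    port mirror or sFlow feed. Returns one alert (t, port, distinct_macs) per port,
    raised the first time more than max_macs distinct source MACs are seen on that
    port within the trailing window_s seconds.
    """
    recent = defaultdict(deque)      # port -> deque of (t, mac) still inside the window
    counts = defaultdict(dict)       # port -> {mac: occurrences inside the window}
    alerted, alerts = set(), []
    for t, port, mac in frames:
        mac = mac.lower()
        recent[port].append((t, mac))
        counts[port][mac] = counts[port].get(mac, 0) + 1
        # Expire samples that have fallen out of the window.
        while recent[port] and t - recent[port][0][0] > window_s:
            _, old = recent[port].popleft()
            counts[port][old] -= 1
            if counts[port][old] == 0:
                del counts[port][old]
        if len(counts[port]) > max_macs and port not in alerted:
            alerted.add(port)
            alerts.append((t, port, len(counts[port])))
    return alerts


def port_security_violations(frames, max_secure_macs=2):
    """Model of switch port security: a port may learn at most max_secure_macs
    source addresses. Returns {port: (t, mac)} for the first frame on each port
    that would exceed the limit (the port would be err-disabled or the frame
    dropped, depending on the configured violation mode)."""
    learned = defaultdict(set)
    violations = {}
    for t, port, mac in frames:
        if port in violations:
            continue
        learned[port].add(mac.lower())
        if len(learned[port]) > max_secure_macs:
            violations[port] = (t, mac.lower())
    return violations


def build_sample_frames():
    """Constructed traffic sample: three access ports with two quiet hosts each, plus
    one port that sources 200 distinct (forged) MACs within two seconds."""
    frames = []
    for sec in range(30):
        for p in range(1, 4):
            for h in range(2):
                frames.append((float(sec), f"Gi1/0/{p}", f"02:00:00:00:{p:02x}:{h:02x}"))
    for i in range(200):
        frames.append((10.0 + i / 100.0, "Gi1/0/7", f"02:aa:aa:aa:{i >> 8:02x}:{i & 0xff:02x}"))
    frames.sort(key=lambda f: f[0])
    return frames


if __name__ == "__main__":
    for t, port, n in detect_mac_flood(build_sample_frames()):
        print(f"t={t:.2f}s port={port}: {n} distinct source MACs in window -> possible CAM flooding")
    print(port_security_violations(build_sample_frames()))
```

The detector is a monitoring control and reacts after the fact; the port-security limit is the preventive one, because a port that may only learn a handful of addresses can never push thousands of bogus entries into the table.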
Address Resolution Spoofing

• Allows an attacker to sniff the data flowing to a local area network. The traffic is either modified, or a denial of service condition is created.
“Man-in-the-middle” Attack

• Adds a third party destination without the legitimate recipients being aware. The third party can extract passwords and confidential data.
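Both of the preceding slides (address resolution spoofing and the man-in-the-middle it enables) leave the same trace on the wire: an IP address that was bound to one MAC address suddenly answers from another, and one station claims both the gateway and a host. The following is an added example, not from the slides, of the passive check a monitor such as arpwatch performs on a constructed stream of ARP replies, plus a model of Dynamic ARP Inspection, which drops replies whose IP/MAC pair is not in the DHCP-snooping binding table. Addresses, MACs and timings are invented.

```python
from collections import defaultdict


def detect_arp_anomalies(arp_replies, gateway_ip):
    """Inspect ARP replies (t, sender_ip, sender_mac) for poisoning patterns.

    Alerts (dicts with a 'kind' key):
      binding_change  - an IP that was bound to one MAC is now claimed by another
      gateway_change  - the same, for the default gateway
      mac_claims_many - one MAC claims the gateway plus at least one host
    """
    bindings = {}                 # ip -> MAC currently believed for it
    ips_by_mac = defaultdict(set)
    reported_macs = set()
    alerts = []
    for t, ip, mac in arp_replies:
        mac = mac.lower()
        prev = bindings.get(ip)
        if prev is None:
            bindings[ip] = mac
        elif prev != mac:
            alerts.append({"t": t, "kind": "gateway_change" if ip == gateway_ip else "binding_change",
                           "ip": ip, "old": prev, "new": mac})
            bindings[ip] = mac
        ips_by_mac[mac].add(ip)
        if (gateway_ip in ips_by_mac[mac] and len(ips_by_mac[mac]) > 1
                and mac not in reported_macs):
            reported_macs.add(mac)
            alerts.append({"t": t, "kind": "mac_claims_many", "mac": mac,
                           "ips": sorted(ips_by_mac[mac])})
    return alerts


def dai_filter(arp_replies, snooping_bindings):
    """Model of Dynamic ARP Inspection: forward a reply only if its (ip, mac) pair
    matches the DHCP-snooping binding table; everything else is dropped.
    Returns (forwarded, dropped)."""
    allowed = {(ip, mac.lower()) for ip, mac in snooping_bindings}
    forwarded, dropped = [], []
    for reply in arp_replies:
        (forwarded if (reply[1], reply[2].lower()) in allowed else dropped).append(reply)
    return forwarded, dropped


# Constructed sample: the gateway and two hosts answer normally, then a fourth
# station (02:de:ad:be:ef:01) claims both the gateway's and host .10's addresses,
# which is what poisoning both ends of one conversation looks like on the wire.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1", "00:00:5e:00:53:01"),
    (0.5, "192.168.1.10", "00:00:5e:00:53:10"),
    (1.0, "192.168.1.20", "00:00:5e:00:53:20"),
    (5.0, "192.168.1.1", "00:00:5e:00:53:01"),
    (8.0, "192.168.1.1", "02:de:ad:be:ef:01"),
    (8.1, "192.168.1.10", "02:de:ad:be:ef:01"),
    (9.0, "192.168.1.20", "00:00:5e:00:53:20"),
]

# Constructed DHCP-snooping table: the three legitimate leases on the segment.
SAMPLE_SNOOPING_TABLE = [
    ("192.168.1.1", "00:00:5e:00:53:01"),
    ("192.168.1.10", "00:00:5e:00:53:10"),
    ("192.168.1.20", "00:00:5e:00:53:20"),
]

if __name__ == "__main__":
    for a in detect_arp_anomalies(SAMPLE_ARP_REPLIES, gateway_ip="192.168.1.1"):
        print(a)
    fwd, drop = dai_filter(SAMPLE_ARP_REPLIES, SAMPLE_SNOOPING_TABLE)
    print(f"forwarded={len(fwd)} dropped={len(drop)}")
```

A gateway_change alert is the one worth paging on: a single host changing its MAC is usually a NIC swap or a DHCP reassignment, but the gateway answering from a new address with no maintenance window is the signature of traffic being diverted.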
Denial of Service Attack

• The switch will be jammed and therefore will not deliver packets. The switch will then time out, stopping all traffic.
Switch Hijacking Attack

• The switch will inject illegitimate connections that will pretend to be authentic. The added connections will take over control without the recipients being aware.
Spanning Tree Attack

• Allows the inclusion of spare links as backup paths. Communications are then routed also to illegitimate links.
The Root Claim Attack

• Bogus bridge protocol messages are used to designate the attacker's station as the new root bridge. Once in control, a variety of malicious attacks can then be launched from the attacker.
Forcing Eternal Root Election Attack

• Makes the network unstable by tampering with the routing algorithm to keep searching for the root switch, without ever finding it. Transactions time out.
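The two preceding slides (a bogus root claim and an election that never settles) are both countered by checks a switch applies to incoming bridge protocol data units (BPDUs): BPDU Guard disables host-facing ports that receive any BPDU, Root Guard refuses a BPDU that advertises a root "better" than the designated one, and a root that keeps changing is a stability alarm. The following is an added example, not from the slides, modelling those three checks over a constructed sequence of observed BPDUs. The port names, bridge identifiers, thresholds and the expected root are invented.

```python
from collections import deque


def bridge_id(priority, mac):
    """STP bridge identifier as an orderable tuple: the numerically lowest wins the root election."""
    return (priority, mac.lower())


def evaluate_bpdus(bpdus, expected_root, edge_ports, max_root_changes=3, window_s=60.0):
    """Apply three defensive checks to observed BPDUs (t, port, root_priority, root_mac).

    bpdu_guard    - an edge (host-facing) port should never receive a BPDU at all
    root_guard    - a port that is not the path to the root must not accept a BPDU
                    advertising a root superior to the one we expect
    unstable_root - the advertised root changed more than max_root_changes times
                    within window_s seconds (the election never settles)
    Returns a list of (t, check, port).
    """
    expected = bridge_id(*expected_root)
    alerts = []
    last_root = None
    change_times = deque()
    for t, port, prio, mac in bpdus:
        rid = bridge_id(prio, mac)
        if port in edge_ports:
            alerts.append((t, "bpdu_guard", port))      # the port would be err-disabled
            continue
        if rid < expected:
            alerts.append((t, "root_guard", port))      # port goes root-inconsistent; BPDU not accepted
            continue
        if rid != last_root:
            last_root = rid
            change_times.append(t)
            while change_times and t - change_times[0] > window_s:
                change_times.popleft()
            if len(change_times) > max_root_changes:
                alerts.append((t, "unstable_root", port))
    return alerts


# Constructed topology: the uplink Gi1/0/24 normally carries BPDUs from the
# designated root; Gi1/0/12 is an access port where a host should be plugged in.
EXPECTED_ROOT = (32768, "00:00:5e:00:53:01")
EDGE_PORTS = {"Gi1/0/12"}

# Constructed observations: normal BPDUs, a priority-0 root claim on a non-root
# port, a BPDU on an access port, then the advertised root flapping every two seconds.
SAMPLE_BPDUS = [
    (0.0, "Gi1/0/24", 32768, "00:00:5e:00:53:01"),
    (2.0, "Gi1/0/24", 32768, "00:00:5e:00:53:01"),
    (4.0, "Gi1/0/5", 0, "02:de:ad:be:ef:01"),
    (6.0, "Gi1/0/12", 32768, "02:de:ad:be:ef:02"),
    (10.0, "Gi1/0/24", 32768, "00:00:5e:00:53:02"),
    (12.0, "Gi1/0/24", 32768, "00:00:5e:00:53:01"),
    (14.0, "Gi1/0/24", 32768, "00:00:5e:00:53:02"),
    (16.0, "Gi1/0/24", 32768, "00:00:5e:00:53:01"),
]

if __name__ == "__main__":
    for alert in evaluate_bpdus(SAMPLE_BPDUS, EXPECTED_ROOT, EDGE_PORTS):
        print(alert)
```

Root Guard and BPDU Guard are configured per port on the switch; the unstable-root count is the kind of thing a monitoring system derives from the switch's topology-change notifications or syslog.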
VLAN Hopping Attack

• Subdivision into different local area networks will be compromised if an attacker manages to send messages to the wrong links.
• When LANs support separately the NIPRNET and the SIPRNET, one of them can be used to initiate a denial of service attack on the other.
Principal Attack Scenarios on Internet Routers

• Promiscuous Mode Corruption
• Router Table Attacks
• Router Information Attacks
• Shortest Path Attacks
• Border Gateway Attacks
• Border Gateway Poisoning
Promiscuous Mode Corruption

• The attacker masquerades as a “super-user” with software control privileges. Many router operating systems make “super-user” privileges available for maintenance or for software updating reasons.
• The attacker uses the vendor instructions to acquire “super-user” status.
Router Table Attacks

• An attacker creates messages that look legitimate and can then be inserted into the routing table so that transactions can be redirected.
Router Poisoning Attacks

• Router poisoning is a method used to prevent formation of routing loops within networks.
• A “hop” count will then indicate to other routers that a route is no longer reachable and should be removed from their respective routing tables. The desired destination for the packets will cease to function.
Shortest Path Attacks

• Each router passes the status of its links to its neighbors, who in turn forward this information to other routers in the network.
• As a result of such passing, each router has the link information for all other routers and eventually has the picture of the entire network topology.
• In a compromised table the calculated shortest paths will be incorrect and the shortest paths will be purged.
Border Gateway Attacks

• The Border Gateway Protocol does not assure data integrity and does not provide source authentication. This protocol is the core routing protocol of the Internet, but can be tampered with by making changes to the router software.
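Because BGP itself carries no proof of who is entitled to announce a prefix, the check that has since been deployed against bogus announcements is route origin validation (RFC 6811): a router compares each announcement's prefix and origin AS against Route Origin Authorizations (ROAs) published through the RPKI. The following is an added example, not from the slides, of that validation logic and a typical filtering policy. The ROA set and the announcements are constructed from documentation prefixes and documentation AS numbers (64496–64511); the policy actions are illustrative.

```python
import ipaddress

# Constructed ROA set: (prefix, maxLength, authorised origin AS).
ROAS = [
    (ipaddress.ip_network("192.0.2.0/24"), 24, 64500),
    (ipaddress.ip_network("203.0.113.0/24"), 26, 64500),
    (ipaddress.ip_network("2001:db8::/32"), 48, 64500),
]


def validate_origin(prefix, origin_asn, roas=ROAS):
    """RFC 6811 route origin validation.

    not-found: no ROA covers the announced prefix
    valid:     a covering ROA names this origin AS and the announced prefix is
               no longer than that ROA's maxLength
    invalid:   covering ROAs exist but none matches
    """
    net = ipaddress.ip_network(prefix)
    covering = [r for r in roas if r[0].version == net.version and net.subnet_of(r[0])]
    if not covering:
        return "not-found"
    for roa_net, max_len, asn in covering:
        if asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid"


def apply_policy(announcements, roas=ROAS):
    """Typical import policy: reject invalids, prefer valids over not-founds.
    Returns a list of (prefix, origin, state, action)."""
    actions = {"valid": "accept (high pref)", "not-found": "accept (low pref)", "invalid": "reject"}
    decisions = []
    for prefix, origin in announcements:
        state = validate_origin(prefix, origin, roas)
        decisions.append((prefix, origin, state, actions[state]))
    return decisions


# Constructed announcements: legitimate; wrong origin AS; a more-specific prefix
# (longest match would otherwise win, which is why maxLength matters); a prefix
# within its ROA's maxLength; and a prefix with no ROA at all.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),
    ("192.0.2.0/24", 64511),
    ("192.0.2.0/25", 64500),
    ("203.0.113.0/26", 64500),
    ("198.51.100.0/24", 64496),
]

if __name__ == "__main__":
    for decision in apply_policy(SAMPLE_ANNOUNCEMENTS):
        print(decision)
```

Origin validation only checks the origin AS, not the AS path, and a prefix without a ROA stays "not-found", so it is a necessary filter rather than a complete integrity guarantee for BGP.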
Black Hole Attack

• By making use of router vulnerabilities, various kinds of attacks can be launched to compromise the routing through software changes.
• A special case is the “Black Hole” attack, where the router directs a packet to a network where packets enter but do not come out.
Principal Attack Scenarios on Domain Name System (DNS)

• Address Starvation Attack
• Attacks Using Rogue Servers
• Attacks Using Bogus Default Gateway
• DNS Database with Malicious Records
• DNS Spoofing With a Sniffer
• DNS Flooding Attack
• Spoofed Responses to a DNS Server
• Buffer Overflow Attack
• Denial of Service Attack
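Several items in the list above (spoofed responses, spoofing with a sniffer, rogue servers) come down to a resolver accepting an answer it did not ask for. The check a resolver applies is to accept a response only when its transaction ID, destination port, source server and echoed question all match an outstanding query. The following is an added example, not from the slides, that builds minimal DNS query and response messages with the standard library and models a stub resolver applying those checks. The server addresses, names and transaction IDs are constructed; the message builders cover only the header and question section.

```python
import os
import struct

DNS_TYPE_A = 1
DNS_CLASS_IN = 1


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode an uncompressed name (the question section is never compressed); returns (name, next_offset)."""
    labels = []
    while True:
        n = msg[offset]
        offset += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not expected in question name")
        labels.append(msg[offset:offset + n].decode("ascii"))
        offset += n
    return ".".join(labels).lower() + ".", offset


def build_query(txid, qname, qtype=DNS_TYPE_A):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + encode_name(qname) + struct.pack("!HH", qtype, DNS_CLASS_IN)


def build_response(txid, qname, qtype=DNS_TYPE_A):
    """Minimal response: QR=1, RD and RA set, question echoed, no answer records."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, DNS_CLASS_IN)


def parse_question(msg):
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, flags, qname, qtype


class StubResolver:
    """Tracks outstanding queries and accepts only responses that match one on
    transaction ID, local port, server address and the echoed question."""

    def __init__(self):
        self.pending = {}   # (txid, local_port) -> (server, qname, qtype)

    def send_query(self, qname, qtype, server, txid=None, local_port=None):
        # Random 16-bit ID plus a random ephemeral port: an off-path forger has to guess both.
        txid = int.from_bytes(os.urandom(2), "big") if txid is None else txid
        local_port = 49152 + int.from_bytes(os.urandom(2), "big") % 16384 if local_port is None else local_port
        self.pending[(txid, local_port)] = (server, qname.lower(), qtype)
        return txid, local_port, build_query(txid, qname, qtype)

    def accept_response(self, local_port, from_server, wire):
        """Return (accepted, reason). Accepting a response retires the pending entry."""
        try:
            txid, flags, qname, qtype = parse_question(wire)
        except (ValueError, IndexError, struct.error):
            return False, "malformed"
        if not flags & 0x8000:
            return False, "not-a-response"
        entry = self.pending.get((txid, local_port))
        if entry is None:
            return False, "no-matching-query"        # wrong ID or wrong port: silently dropped
        server, want_name, want_type = entry
        if from_server != server:
            return False, "wrong-server"
        if (qname, qtype) != (want_name, want_type):
            return False, "question-mismatch"
        del self.pending[(txid, local_port)]
        return True, "ok"


if __name__ == "__main__":
    r = StubResolver()
    txid, port, wire = r.send_query("example.com.", DNS_TYPE_A, "192.0.2.53")
    print(r.accept_response(port, "192.0.2.53", build_response(txid ^ 1, "example.com.")))  # forged ID: rejected
    print(r.accept_response(port, "192.0.2.53", build_response(txid, "example.com.")))      # genuine: accepted
```

These checks raise the cost of an off-path forgery to guessing a 32-bit combination inside the query's round-trip time; a forger on the path who can see the query (the "spoofing with a sniffer" case) passes all of them, which is why DNSSEC validation of the answer data is the complementary control.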
Summary
About Attacks on the Internet

• It is Asymmetric Warfare.
• Principal technique is masquerading.
• Public Key Infrastructure authentication is mandatory.
• Every transaction must be monitored.
• Use intelligence methods to investigate cases.
Immediate Priority: Control Routers and Switches

• Separate GIG routers and switches from the public Internet.
• Centrally manage dedicated routers and switches on the GIG.
• Intercept “malware” in the GIG, not at the user end.

Implement Cloud Computing and Protect Databases

• Consolidate all servers through virtualization.
• Architect “cloud” connectivity.
• Eliminate “fat clients”.
• Encrypt databases.

Take Away

For follow up questions:

• pstrassm@gmu.edu